Otto background

What is Microsoft Endpoint Manager?

What is Microsoft Endpoint Manager (MEM)?

Microsoft Endpoint Manager (MEM) is Microsoft’s Unified Endpoint Manager (UEM). Gartner defines UEMs as “any tool that provides both agent and agentless management of computers and mobile devices through a single console with a user-centric view.”

UEMs should manage Windows 10, macOS, Chrome OS, Apple iOS/iPadOS, and Android. Microsoft accomplishes UEM capabilities through uniting SCCM and Intune underneath the hood within a single console called “Microsoft Endpoint Manager.”

How does MEM work?

As we mentioned MEM doesn’t do the work itself, existing tools like SCCM and Intune are the workhorses executing and enforcing policy, deploying and configuring devices, gathering inventory details, and more. MEM is simply the unifying console to bring the experiences, capabilities, and data sets under one web-based management console.

What OSes are covered with MEM?

MEM can manage the following OSes:

  • Windows 10 and 11, and legacy versions like 8.1 (agent-based with SCCM)

  • Android 8.0+, Android Enterprise

  • Apple macOS 10.15+, iPadOS 13.0+, iOS 13.0+

  • Windows Server 2012-2022

  • Windows devices in Azure Virtual Desktop

  • Windows embedded devices (IoT), think point-of-sales and other types of lightweight devices

Does MEM work with third-party software?

MEM has similar restrictions to both SCCM and Intune. As a result, updating and enforcing third-party patching is still a major pain point for many organizations. Some even opt for additional third-party purchases to help manage these updates.

What can MEM do?

Again, MEM unites SCCM and Intune under a single console. As a result, the management capabilities are the same as with those tools, depending on whether the device is enrolled in Intune or has the SCCM agent installed (or both).

If you’re considering MEM, there are a few options for managing devices between SCCM and Intune under MEM. Organizations choose between Tenant attach or co-management.

Generally, Tenant attach is considered the first stage for an organization using SCCM to begin migration to cloud-based management. Tenant attach connects SCCM to MEM so you can view devices there along with any Intune-managed device, but keeps the management workloads in SCCM.

After attaching SCCM to MEM, organizations can begin to co-manage devices using both Configuration Manager (SCCM) and Intune. This is where some of the management work will be completed from the cloud with Intune, and other management workloads will remain in SCCM.

Ultimately, the third stage of management would be to migrate all management workloads away from SCCM and into the cloud with Intune. However, some operating systems like Windows Server cannot be managed in Intune, so many organizations will be left with SCCM or another tool to manage these systems.

Below is a diagram provided by Microsoft to illustrate the stages above:

What are the licensing requirements for MEM?

To license MEM, you’ll need to have purchased one of the following bundles from Microsoft.

  • Microsoft 365 E5

  • Microsoft 365 E3

  • Enterprise Mobility + Security (EMS) E5

  • Enterprise Mobility + Security (EMS) E3

  • Microsoft 365 Business Premium

  • Microsoft 365 F1

  • Microsoft 365 F3

  • Microsoft 365 Government G5

  • Microsoft 365 Government G3

Licensing can be extremely complex, and the capabilities of MEM can vary based on the license you’ve purchased from Microsoft. In order to use MEM with both Intune and SCCM, you’ll also need those licenses or bundles.

A good rule of thumb is that if you’re fully licensed for Intune, you’ll also have SCCM and MEM licenses.

What else is required to use MEM?

The requirements for MEM boil down to a combination of Intune and SCCM requirements.

To run SCCM effectively, you’ll need the following:

  • SQL Database

  • WSUS

  • To eliminate VPNs for SCCM’s agent-based management, you’ll also need to configure and manage a Cloud Management Gateway (CMG) server or migrate those workloads to Intune.

Both Intune and MEM require a connection to Azure Active Directory, which is a cloud-hosted Active Directory. Historically, this has only existed on-prem. Thus, your devices must either be purely Azure AD-joined, or Hybrid Azure AD-joined (a combination of on-prem AD and Azure AD).

To use features like automatic MDM enrollment in MEM, you’ll need Azure AD Premium, which requires the purchase of an Enterprise Mobility + Security (EMS) subscription.

Should you use MEM?

When considering MEM, it’s important to remember that some of the key pain points with tools like SCCM and Intune are not solved by MEM, because MEM is primarily uniting the two tools under a single console and helping organizations to migrate legacy on-prem management to the cloud (Intune).

If you’re struggling today with third-party patching or managing Linux devices – MEM will not address either of these issues. You’ll also still need to manage Intune and/or SCCM on the back end if you plan to use any of their management capabilities. So, if you’re running Windows Server you’ll need to keep SCCM and manage the existing legacy infrastructure associated with it.

However, large organizations struggling or unwilling to migrate device management from SCCM to the cloud may find MEM a reasonable option to slowly move from SCCM for intune for eligible devices.


Automox for Easy IT Operations

Automox is the cloud-native IT operations platform for modern organizations. It makes it easy to keep every endpoint automatically configured, patched, and secured – anywhere in the world. With the push of a button, IT admins can fix critical vulnerabilities faster, slash cost and complexity, and win back hours in their day.

Grab your free trial of Automox and join thousands of companies transforming IT operations into a strategic business driver.

Dive deeper into this topic

loading...